Tuts 4 You

[UnPackMe] .NET UnPackMe(SE+DNG)


Go to solution Solved by Hadits follower,


Posted (edited)

Hi guys.


Nice to meet you.


This app was protected by Shielden+DNGuard.


Have a try. If you got it, describe how to do it, thanks...


Sorry for my poor English, sorry for my Chinglish!


 


((o(^_ ^)o))    ((o(^_ ^)o))    ((o(^_ ^)o))    ((o(^_ ^)o))


 


UnPackMe.rar

Edited by 381400744
Posted

Giving the people rose, the hand have lingering fragrance.


 


 


Is there nobody? :snog:

Posted
Hi 381400744,

 

This application was protected by Shielden and Dnguard!

 

I've already unpacked the first protector (Shielden), and this application is running now...

 

But the second protector (DNGuard HVM), I don't know how to unpack it!

 

I want someone to do......

 

UnPackMe_UnPacked1.rar

  • Like 2
CodeExplorer
Posted

Over the unprotected file posted by je9rry:


- I've got to jump the .idata section to the .text section,


After that reconstruct import table using Universal Fixer.


(all ".NET" should be unmarked )


- I've got to set the "IL only" flag from .NET Directory.


- I've got to fix the entry point


After that unpack it using DNGuardHVMUnpacker.


 


  • Like 4
CodeExplorer
Posted (edited)

Unverifiable PE Header/native stub.

The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

Edited by CodeCracker
  • Like 2
CodeExplorer
Posted

The above error is annoying! The assembly won't start!


I could make it work only by decompiling with ildasm.exe


and compiling with ilasm!


Unpacked file attached!


 


UnPackMe_UnPackedSetup1_unpacked.zip

  • Like 2
Falcon_2015
Posted

@je9rry now CodeCracker is sharing how to unpack DNGuard HVM, so could you share how to unpack Shielden? I know you are willing to share happiness with us :prop:


  • Like 1
Posted

@codecracker  good job! 


- I've got to jump the .idata section to the .text section,    


Can't understand this step. Please give more detail. Thanks! :please:


Posted (edited)

@CodeCracker you are a super star in China. Many people in my country have heard of you!


 


Pretty good, great man who knows how to share!


 


I'm your fan!


Edited by 381400744
Posted (edited)

@Falcon_2015 Unpacking shielden is a simple thing!


 


1.Dump it in memory!


 


2.All of sessions the raws overflow,you should repair them!


Edited by 381400744
CodeExplorer
Posted

@codecracker  good job! 

- I've got to jump the .idata section to the .text section,    

Can't understand this step. Please give more detail. Thanks! :please:

You must join the .idata section to the .text section:

I've used CFF Explorer:

- add to Virtual Size of ".text" section the Virtual Size of ".idata" section

- add to Raw Size of ".text" section the Raw Size of ".idata" section

- delete the .idata section - header only

- set the Import Directory RVA to a good place so UniversalFixer could fix imports!

  • Like 6
Posted

Unverifiable PE Header/native stub.

The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

Could you please share the file that's having this error? I'm interested in finding out what's causing it. ;)
Falcon_2015
Posted (edited)

@Falcon_2015 Unpacking shielden is a simple thing!

 

1.Dump it in memory!

 

2.All of sessions the raws overflow,you should repair them!

 

Hi 381400744:

 

    Before, I unpacked some Shielden EXEs, but when I used the same method to dump and fix this UnpackMe, I failed. Please give me some guidance (did you fix other parts with CFF?)

And do you understand the tutorial CodeCracker described? If you understand how to unpack your UnpackMe, please share.

 

You said: Giving the people rose, the hand have lingering fragrance :prop:

 


Edited by Falcon_2015
Posted (edited)

@Falcon_2015 


 


Please contact me with QQ International.


 


My QQ number: 381400744


 


Edited by 381400744
Posted

@CodeCracker   


I follow these steps:


- add to Virtual Size of ".text" section the Virtual Size of ".idata" section   ------- C2000+2000


- add to Raw Size of ".text" section the Raw Size of ".idata" section       --------6000+2000


- delete the .idata section - header only   ------------------do it 


Then I saved the file and opened it. I found the import directory is empty. How to deal with it?

Posted

@je9rry


 


when you changed the section !


 


 


you should rebuild the import directory.......

Posted (edited)

@381400744 I get it. Thanks!


 


@codecracker but I don't know how to fix the entry point, so the DNGunpacker can't unpack it.


error message: two more TLS's IAT .


 


Can you give some advice? Thanks for your reply!


UnPackMe_UnPacked_fix.rar

Edited by je9rry
Hadits follower
Posted

@jerry mark ilcode box 


 


i dont know i dump exe failed to decrypt string 


Unpacked3.zip

CodeExplorer
Posted

@codecracker but I don't know how to fix the entry point, so the DNGunpacker can't unpack it.

error message: two more TLS's IAT

Find a suitable place for the entry point (free 00... space).

The entry point should look like this:

FF2500204000

(jmp dword ptr FTs (IAT))

 

  • Like 1
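As an added illustration (not code from any poster in this thread), the following Python check reads the two fields discussed above from a PE32 image: the "IL only" bit in the .NET Directory flags and whether the entry point is an `FF 25` jump through the IAT. The function names and the sample image are constructed for this example; it assumes a PE32 header with 16 data directories.

```python
import struct

def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]

def rva_to_off(sections, rva):
    for va, vsize, raw_ptr in sections:
        if va <= rva < va + vsize:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def check_dotnet_stub(pe):
    """Read the CLR flags and entry-point stub of a PE32 .NET image."""
    nt = u32(pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0" or u16(pe, nt + 24) != 0x10B:
        raise ValueError("not a PE32 image")
    opt = nt + 24
    sec0 = opt + u16(pe, nt + 20)                       # first section header
    sections = []
    for i in range(u16(pe, nt + 6)):
        vsize, va, _, raw_ptr = struct.unpack_from("<4I", pe, sec0 + 40 * i + 8)
        sections.append((va, vsize, raw_ptr))
    base = u32(pe, opt + 28)
    iat_rva, iat_size = struct.unpack_from("<II", pe, opt + 96 + 8 * 12)
    clr_rva = u32(pe, opt + 96 + 8 * 14)                # .NET Directory
    flags = u32(pe, rva_to_off(sections, clr_rva) + 16) # IMAGE_COR20_HEADER.Flags
    ep_off = rva_to_off(sections, u32(pe, opt + 16))
    stub = pe[ep_off:ep_off + 6]
    is_jmp = len(stub) == 6 and stub[:2] == b"\xff\x25" # jmp dword ptr [imm32]
    target = u32(stub, 2) - base if is_jmp else None
    in_iat = target is not None and iat_rva <= target < iat_rva + iat_size
    return {"flags": flags, "il_only": bool(flags & 1), "stub_in_iat": in_iat}

def build_sample(flags=3, stub=bytes.fromhex("FF2500204000")):
    """Constructed minimal layout: one .text section, RVA 0x2000, raw 0x200."""
    pe = bytearray(0x400)
    struct.pack_into("<I", pe, 0x3C, 0x80)              # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x14C, 1)         # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x94, 0xE0)              # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", pe, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", pe, opt + 16, 0x2050)        # AddressOfEntryPoint
    struct.pack_into("<I", pe, opt + 28, 0x400000)      # ImageBase
    struct.pack_into("<II", pe, opt + 96 + 8 * 12, 0x2000, 8)   # IAT directory
    struct.pack_into("<II", pe, opt + 96 + 8 * 14, 0x2008, 72)  # .NET Directory
    pe[0x178:0x17D] = b".text"
    struct.pack_into("<4I", pe, 0x180, 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<I", pe, 0x208 + 16, flags)       # CLR header Flags
    pe[0x250:0x256] = stub
    return bytes(pe)
```

With the sample's image base of 0x400000, the bytes `FF2500204000` decode to a jump through the pointer stored at 0x00402000, which is the first IAT slot.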
Hadits follower
Posted (edited)

Thanks works great . 


@jerry can you share the se unpack tut cause my unpacked string crashes 


 


jerry exe unpacked with codecracker tut 


UnPackMe_UnPacked_fix_fix_unpackedz_Final.zip

Edited by Death
  • Like 1
  • Solution
Hadits follower
Posted (edited)

Finally done in full.


Here is the tutorial on how to unpack properly.


 


Edited :


 


1. Dump .NET from process module [can use dotnet dumper]

2. Remove .hvmRunt + .rsrc + .HVMRunt, delete (header and data), use CFF

3. Find corExe with CFF in string mod and find a comfortable location, copy the RVA, use that as the Import Directory RVA [CFF]

3. Use Universal Fixer without marking .NET and fix [to fix the mscoree.dll with corExe placed in the correct location]

4. Use CFF and copy the virtualize dword address from section header[x] .text

5. .NET Directory flags value should be 0003 [ilcode mark]

6. Use DNGuard Unpacker

7. To run, use ilasm and ildasm

 

it is all at long last .

 

End of the game ....

 

 

Attached Unpacked4 Final Tutorial

Unpacked4_Tutroial.zip

Edited by Death
  • Like 6
Falcon_2015
Posted

@Death  Nice !!! :prop:    Thank you for sharing

